From a2c83cb0fd401cfe4e584395307dd951c76af6ee Mon Sep 17 00:00:00 2001
From: Paul Holzinger
Date: Mon, 8 Jul 2024 13:32:23 +0200
Subject: [PATCH] SetupRootless(): only reexec when needed
We should never try to reexxec when we are already root with CAP_SYS_ADMIN. The code contained a bug when --cgroups=disabled is used as it tried to perfom a reexec even when it was not needed.
Fixes: 900e29549a ("libpod: do not move podman with --cgroups=disabled")
Signed-off-by: Paul Holzinger
---
 pkg/domain/infra/abi/system_linux.go | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)
diff --git a/pkg/domain/infra/abi/system_linux.go b/pkg/domain/infra/abi/system_linux.go
index db51f4d4d0..6dd99554cd 100644
--- a/pkg/domain/infra/abi/system_linux.go
+++ b/pkg/domain/infra/abi/system_linux.go
@@ -30,15 +30,16 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool,
 }
 }
- configureCgroup := cgroupMode != "disabled"
- if configureCgroup {
+ hasCapSysAdmin, err := unshare.HasCapSysAdmin()
+ if err != nil {
+ return err
+ }
+
+ // check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
+ if os.Geteuid() == 0 && hasCapSysAdmin {
 // do it only after podman has already re-execed and running with uid==0.
- hasCapSysAdmin, err := unshare.HasCapSysAdmin()
- if err != nil {
- return err
- }
- // check for both euid == 0 and CAP_SYS_ADMIN because we may be running in a container with CAP_SYS_ADMIN set.
- if os.Geteuid() == 0 && hasCapSysAdmin {
+ configureCgroup := cgroupMode != "disabled"
+ if configureCgroup {
 ownsCgroup, err := cgroups.UserOwnsCurrentSystemdCgroup()
 if err != nil {
 logrus.Infof("Failed to detect the owner for the current cgroup: %v", err)
@@ -55,8 +56,8 @@ func (ic *ContainerEngine) SetupRootless(_ context.Context, noMoveProcess bool,
 }
 }
 }
- return nil
 }
+ return nil
 }
 pausePidPath, err := util.GetRootlessPauseProcessPidPath()
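Review bot: The context comment `// do it only after podman has already re-execed and running with uid==0.` is now the first line inside the `os.Geteuid() == 0 && hasCapSysAdmin` branch, where "it" no longer names anything, because the branch both configures the cgroup and decides that no re-exec happens. I would move it directly above `if configureCgroup {` and reword it as `// Configure the cgroup only once podman runs with uid==0 and CAP_SYS_ADMIN, i.e. after any re-exec.` The capability probe is now also reached with `--cgroups=disabled`, so its bare `return err` becomes a failure path for every mode; failing closed is the right choice for a privilege check, but the error would be easier to trace with context, for example `return fmt.Errorf("checking for CAP_SYS_ADMIN: %w", err)` (assuming `fmt` is imported in this file, which the hunk does not show). SetupRootless starts before this hunk and continues past it.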
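Review bot: The relocated `return nil` is the line that actually stops a process that is already root with CAP_SYS_ADMIN from reaching the re-exec path below, yet nothing at that spot says so. A comment above it such as `// Already root with CAP_SYS_ADMIN: never re-exec, regardless of cgroupMode.` would keep a later refactor from moving it back inside the `configureCgroup` block, which is the bug this commit fixes. The diffstat shows only system_linux.go changed, so a regression test that runs as root with `--cgroups=disabled` and checks that no re-exec is attempted appears to be missing. The branch this `return nil` belongs to opens in the previous hunk.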